891ec51dd4
The bootstrap process tries to removes existing apparmor profiles but doesn't consider the case where those are disabled. This change fixes the scenario where the libvirt profile exists but is disabled. Closes-Bug: 1909874 Change-Id: Ied0f2acc420bd5cf1e092c8aee358cba35bd8d5d
268 lines
6.6 KiB
YAML
268 lines
6.6 KiB
YAML
---
|
|
- name: Create kolla user
|
|
user:
|
|
name: "{{ kolla_user }}"
|
|
state: present
|
|
group: "{{ kolla_group }}"
|
|
groups: "sudo"
|
|
append: true
|
|
become: True
|
|
when: create_kolla_user | bool
|
|
|
|
- name: Add public key to kolla user authorized keys
|
|
authorized_key:
|
|
user: "{{ kolla_user }}"
|
|
key: "{{ kolla_ssh_key.public_key }}"
|
|
become: True
|
|
when: create_kolla_user | bool
|
|
|
|
- name: Grant kolla user passwordless sudo
|
|
lineinfile:
|
|
dest: /etc/sudoers.d/kolla-ansible-users
|
|
state: present
|
|
create: yes
|
|
mode: '0640'
|
|
regexp: '^{{ kolla_user }}'
|
|
line: '{{ kolla_user }} ALL=(ALL) NOPASSWD: ALL'
|
|
become: True
|
|
when: create_kolla_user_sudoers | bool
|
|
|
|
- name: Ensure virtualenv has correct ownership
|
|
file:
|
|
path: "{{ virtualenv }}"
|
|
recurse: True
|
|
state: directory
|
|
owner: "{{ kolla_user }}"
|
|
group: "{{ kolla_group }}"
|
|
become: True
|
|
when: virtualenv is not none
|
|
|
|
- name: Ensure node_config_directory directory exists for user kolla
|
|
file:
|
|
path: "{{ node_config_directory }}"
|
|
state: directory
|
|
owner: "{{ kolla_user }}"
|
|
group: "{{ kolla_group }}"
|
|
mode: 0755
|
|
become: True
|
|
when: create_kolla_user | bool
|
|
|
|
- name: Ensure node_config_directory directory exists
|
|
file:
|
|
path: "{{ node_config_directory }}"
|
|
state: directory
|
|
mode: 0755
|
|
become: True
|
|
when: not create_kolla_user | bool
|
|
|
|
- name: Ensure docker config directory exists
|
|
file:
|
|
path: /etc/docker
|
|
state: directory
|
|
become: True
|
|
|
|
- name: Merge Zun docker config
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine(docker_zun_config) }}"
|
|
when:
|
|
- docker_configure_for_zun | bool
|
|
|
|
- name: Warn about deprecations
|
|
debug:
|
|
msg: >
|
|
docker_custom_option is deprecated in favor of docker_custom_config
|
|
when: docker_custom_option | length > 0
|
|
|
|
- name: Setup docker insecure registries
|
|
vars:
|
|
registries: ["{{ docker_registry }}"]
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine({'insecure-registries': registries}) }}"
|
|
when: docker_registry_insecure | bool
|
|
|
|
- name: Setup docker storage driver
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine({'storage-driver': docker_storage_driver}) }}"
|
|
when: docker_storage_driver | length > 0
|
|
|
|
- name: Setup docker runtime directory
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine({'data-root': docker_runtime_directory}) }}"
|
|
when: docker_runtime_directory | length > 0
|
|
|
|
- name: Warn about docker default iptables
|
|
debug:
|
|
msg: >-
|
|
Docker default iptables rules will be disabled by default from the Victoria 11.0.0
|
|
release. If you have any non-Kolla containers that need this functionality, you should
|
|
plan a migration for this change, or set docker_disable_default_iptables_rules to false.
|
|
when: not docker_disable_default_iptables_rules | bool
|
|
|
|
- name: Disable docker default iptables rules
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine({'iptables': false}) }}"
|
|
when: docker_disable_default_iptables_rules | bool
|
|
|
|
- name: Merge custom docker config
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine(docker_custom_config) }}"
|
|
|
|
- name: Write docker config
|
|
become: True
|
|
copy:
|
|
content: "{{ docker_config | to_nice_json }}"
|
|
dest: /etc/docker/daemon.json
|
|
mode: 0644
|
|
register: docker_configured
|
|
|
|
- name: Remove old docker options file
|
|
become: True
|
|
file:
|
|
path: /etc/systemd/system/docker.service.d/kolla.conf
|
|
state: absent
|
|
when:
|
|
- not docker_custom_option
|
|
- not docker_configure_for_zun|bool
|
|
|
|
- name: Ensure docker service directory exists
|
|
become: True
|
|
file:
|
|
path: /etc/systemd/system/docker.service.d
|
|
state: directory
|
|
recurse: yes
|
|
when: docker_custom_option | length > 0 or docker_configure_for_zun|bool
|
|
|
|
- name: Configure docker service
|
|
become: True
|
|
template:
|
|
src: docker_systemd_service.j2
|
|
dest: /etc/systemd/system/docker.service.d/kolla.conf
|
|
when: docker_custom_option | length > 0 or docker_configure_for_zun|bool
|
|
|
|
- name: Reload docker service file
|
|
become: True
|
|
systemd:
|
|
name: docker
|
|
daemon_reload: yes
|
|
register: docker_reloaded
|
|
|
|
- name: Get stat of libvirtd apparmor profile
|
|
stat:
|
|
path: /etc/apparmor.d/usr.sbin.libvirtd
|
|
register: apparmor_libvirtd_profile
|
|
when: ansible_distribution == "Ubuntu"
|
|
|
|
- name: Get stat of libvirtd apparmor disable profile
|
|
stat:
|
|
path: /etc/apparmor.d/disable/usr.sbin.libvirtd
|
|
register: apparmor_libvirtd_disable_profile
|
|
when: ansible_distribution == "Ubuntu"
|
|
|
|
- name: Remove apparmor profile for libvirt
|
|
command: apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd
|
|
become: True
|
|
when:
|
|
- ansible_distribution == "Ubuntu"
|
|
- apparmor_libvirtd_profile.stat.exists
|
|
- not apparmor_libvirtd_disable_profile.stat.exists
|
|
|
|
- name: Get stat of chronyd apparmor profile
|
|
stat:
|
|
path: /etc/apparmor.d/usr.sbin.chronyd
|
|
register: apparmor_chronyd_profile
|
|
when:
|
|
- ansible_os_family == "Debian"
|
|
- enable_chrony | bool
|
|
|
|
- name: Remove apparmor profile for chrony
|
|
command: apparmor_parser -R /etc/apparmor.d/usr.sbin.chronyd
|
|
become: True
|
|
when:
|
|
- ansible_os_family == "Debian"
|
|
- enable_chrony | bool
|
|
- apparmor_chronyd_profile.stat.exists
|
|
|
|
- name: Create docker group
|
|
group:
|
|
name: docker
|
|
become: True
|
|
|
|
- name: Add kolla user to docker group
|
|
user:
|
|
name: "{{ kolla_user }}"
|
|
append: yes
|
|
groups: docker
|
|
become: True
|
|
when: create_kolla_user | bool
|
|
|
|
- name: Start docker
|
|
service:
|
|
name: docker
|
|
state: started
|
|
become: True
|
|
|
|
- name: Restart docker
|
|
service:
|
|
name: docker
|
|
state: restarted
|
|
become: True
|
|
when: docker_configured.changed or docker_reloaded.changed
|
|
|
|
- name: Enable docker
|
|
service:
|
|
name: docker
|
|
enabled: yes
|
|
become: True
|
|
|
|
- name: Stop time service
|
|
service:
|
|
name: ntp
|
|
state: stopped
|
|
become: True
|
|
when:
|
|
- ansible_os_family == "Debian"
|
|
- enable_host_ntp | bool
|
|
|
|
- name: Stop time service
|
|
service:
|
|
name: ntpd
|
|
state: stopped
|
|
become: True
|
|
when:
|
|
- ansible_os_family == "RedHat"
|
|
- enable_host_ntp | bool
|
|
|
|
- name: Synchronizing time one-time
|
|
command: ntpd -gq
|
|
become: True
|
|
when: enable_host_ntp | bool
|
|
|
|
- name: Start time sync service
|
|
service:
|
|
name: ntp
|
|
state: started
|
|
enabled: yes
|
|
become: True
|
|
when:
|
|
- ansible_os_family == "Debian"
|
|
- enable_host_ntp | bool
|
|
|
|
- name: Start time sync service
|
|
service:
|
|
name: ntpd
|
|
state: started
|
|
enabled: yes
|
|
become: True
|
|
when:
|
|
- ansible_os_family == "RedHat"
|
|
- enable_host_ntp | bool
|
|
|
|
- name: Change state of selinux
|
|
selinux:
|
|
policy: targeted
|
|
state: "{{ selinux_state }}"
|
|
become: true
|
|
when:
|
|
- change_selinux | bool
|
|
- ansible_os_family == "RedHat"
|